HTTPS Reverse Proxy
Setting up a reverse proxy with letsencrypt
Installation
```bash
apk add nginx openssl certbot --update
```
NGINX configuration
Global configuration
```bash
mv /etc/nginx/nginx.conf /etc/nginx/[old]-nginx.conf
nano /etc/nginx/nginx.conf
```
Copy the following content:
```nginx
user nginx;
worker_processes auto;
# Configures default error logger.
error_log /var/log/nginx/error.log warn; # Log warn, error, crit, alert, emerg
events {
    # The maximum number of simultaneous connections that can be opened by a worker process.
    worker_connections 1024; # increase if you need more connections
}
http {
    # server_names_hash_bucket_size controls the maximum length
    # of a virtual host entry (ie the length of the domain name).
    server_names_hash_bucket_size 64;
    server_tokens off; # hide who we are, don't show nginx version to clients
    sendfile on; # can cause issues
    # Specifies the maximum accepted body size of a client request, as
    # indicated by the request header Content-Length. If the stated content
    # length is greater than this size, then the client receives the HTTP
    # error code 413. Set to 0 to disable. Default is '1m'.
    # 0 removes the limit entirely: unless every backend enforces its own,
    # prefer a real value here or in the server block of each service.
    client_max_body_size 0;
    # nginx will find this file in the config directory set at nginx build time
    # Includes mapping of file name extensions to MIME types of responses
    include mime.types;
    # fallback in case we can't determine a type
    default_type application/octet-stream;
    # buffering causes issues, disable it
    # increase buffer size. still useful even when buffering is off
    proxy_buffering off;
    proxy_buffer_size 4k;
    # allow the server to close the connection after a client stops responding. Frees up socket-associated memory.
    reset_timedout_connection on;
    # Specifies the main log format.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # Sets the path, format, and configuration for a buffered log write.
    # Buffer log writes to speed up IO, or disable them altogether
    access_log /var/log/nginx/access.log main buffer=16k;
    #access_log off;
    # Include files with config snippets into the root context.
    include conf.d/*.conf;
    # Includes virtual hosts configs.
    include http.d/*.conf;
}
```
SSL configuration
```bash
mkdir /etc/nginx/conf.d
nano /etc/nginx/conf.d/ssl-params.inc
```
Then copy the following content:
```nginx
# secure nginx, see https://cipherli.st/
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# OCSP stapling needs a "resolver" directive to look up the OCSP responder
# (e.g. resolver 127.0.0.1; with the DNS server of the host); without one
# nginx cannot fetch the OCSP response and logs a resolver error.
resolver_timeout 5s;
# https://hstspreload.org
# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
```
Generating the ssl_dhparam file
This can take a while. The `-dsaparam` option is what keeps it bearable: it produces DSA-style parameters instead of safe primes, which is fine for the ephemeral DH (DHE) that nginx uses; drop it if you want safe primes and can wait.
```bash
openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
```
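Once a vhost is live, the quickest way to confirm that ssl-params.inc is actually applied (and that `server_tokens off` hides the version) is to read the response headers. The script below is an added example, not part of the original page: it takes raw response headers on stdin (for instance from `curl -sI https://www.exemple.fr`) and checks the HSTS lifetime, the other headers set above and the Server header. The one-year minimum is the hstspreload.org requirement; the sample response embedded at the bottom is constructed. Header names are matched case-insensitively because HTTP/2 responses carry them in lower case.

```shell
#!/bin/sh
# Added example (not the page's own code): check the headers set by ssl-params.inc.
# Usage on a live host:  curl -sI https://www.exemple.fr | check_security_headers

# Print the value of header $1 from the headers on stdin, matching the name
# case-insensitively (HTTP/2 delivers lower-case names); prints nothing if absent.
header_value() {
    _name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    tr -d '\r' | awk -v name="$_name" '
        index($0, ":") > 0 && tolower(substr($0, 1, index($0, ":") - 1)) == name {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }'
}

failed=0
fail() { echo "FAIL: $1"; failed=1; }

# expect_header <name> <exact value>: compare against the value set by add_header.
expect_header() {
    _got="$(printf '%s\n' "$resp" | header_value "$1")"
    [ "$_got" = "$2" ] || fail "$1: expected '$2', got '$_got'"
}

# Read response headers from stdin; return 0 if every check passes, 1 otherwise.
check_security_headers() {
    resp="$(cat)"
    failed=0

    hsts="$(printf '%s\n' "$resp" | header_value Strict-Transport-Security)"
    max_age="$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')"
    if [ -z "$max_age" ]; then
        fail "Strict-Transport-Security missing or without max-age"
    elif [ "$max_age" -lt 31536000 ]; then
        fail "HSTS max-age below one year: $max_age"
    fi
    case "$hsts" in
        *includeSubDomains*) ;;
        *) fail "HSTS lacks includeSubDomains" ;;
    esac

    expect_header X-Content-Type-Options nosniff
    expect_header X-Frame-Options SAMEORIGIN
    expect_header Referrer-Policy no-referrer
    expect_header X-Permitted-Cross-Domain-Policies none

    # server_tokens off turns "Server: nginx/1.x.y" into a bare "Server: nginx"
    server="$(printf '%s\n' "$resp" | header_value Server)"
    case "$server" in
        */*) fail "Server header leaks a version: $server" ;;
    esac

    return "$failed"
}

# Constructed sample of what a vhost using ssl-params.inc should answer.
SAMPLE_RESPONSE='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000; includeSubDomains
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block
content-type: text/html'

# Offline demo on the constructed sample.
printf '%s\n' "$SAMPLE_RESPONSE" | check_security_headers && echo "all security headers present"
```

Each failed check is printed on its own `FAIL:` line and the function's exit status is non-zero, so it drops straight into a cron job or a deployment check.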
Common configuration
Headers
```bash
nano /etc/nginx/conf.d/proxy_set_header.inc
```
```nginx
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
# Sent on every request here, which most backends tolerate; the pattern from the
# nginx WebSocket docs is a "map $http_upgrade $connection_upgrade" so that only
# WebSocket requests carry "Connection: upgrade".
proxy_set_header Connection 'upgrade';
proxy_cache_bypass $http_upgrade;
```
Or, for testing:
```nginx
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the
# client sent, so the header may contain client-supplied (spoofable) entries; the
# backend must only trust the last one. $remote_addr alone (above) discards them.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
```
Redirecting HTTP to HTTPS
```bash
nano /etc/nginx/conf.d/redirect_http.inc
```
```nginx
location / {
    return 301 https://$host$request_uri;
}
```
HTTP configuration (mandatory)
We will create one conf file per service in the /etc/nginx/http.d directory (the global configuration includes http.d/*.conf), for example:
- /etc/nginx/http.d/default.conf
- /etc/nginx/http.d/www.exemple.fr.conf
- /etc/nginx/http.d/www.exemple.com.conf
www.exemple.fr
```bash
nano /etc/nginx/http.d/www.exemple.fr.conf
```
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name www.exemple.fr;
}
```
HTTPS configuration
Stop nginx (`rc-service nginx stop`) so that port 80 is free for certbot.
Creating the certificate
```bash
# nginx is stopped, so pick the standalone authenticator when certbot asks
# (or pass --standalone to skip the prompt)
certbot certonly -d www.exemple.fr
```
www.exemple.fr
Edit the file
```bash
nano /etc/nginx/http.d/www.exemple.fr.conf
```
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name www.exemple.fr;
    include conf.d/redirect_http.inc;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.exemple.fr;
    ssl_certificate /etc/letsencrypt/live/www.exemple.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.exemple.fr/privkey.pem;
    include /etc/nginx/conf.d/ssl-params.inc; # SSL parameters
    location / {
        include conf.d/proxy_set_header.inc;
        # replace with the IP address and port of the backend service
        proxy_pass http://ip-du-serveur:port-du-service;
        proxy_cache_bypass $http_upgrade;
    }
}
```
Start the service
```bash
rc-service nginx start
rc-update add nginx
```
Renewal
```bash
nano /etc/periodic/weekly/certbot_renew
```
```sh
#!/bin/sh
rc-service nginx stop
certbot renew --quiet
rc-service nginx start
```
```bash
chmod +x /etc/periodic/weekly/certbot_renew
```
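The weekly job above stops nginx every week whether or not a certificate is due, and if certbot aborts between the stop and the start, the proxy stays down until someone notices. The script below is an added example, not the page's own script: it uses certbot's `--pre-hook`/`--post-hook` options, which only run when a certificate is actually renewed, so nginx is stopped only then; it starts nginx again if certbot left it stopped; and it logs the outcome so a silent renewal failure is visible before the certificate expires. The `CERTBOT`, `RC_SERVICE` and `RENEW_LOG` variables are assumptions of this example (they let the logic be exercised without certbot or nginx installed), and the log path is constructed.

```shell
#!/bin/sh
# Added example (not the page's own script): a safer /etc/periodic/weekly/certbot_renew
# for the standalone-authenticator setup described on this page.
# Assumed, overridable for testing: CERTBOT, RC_SERVICE, RENEW_LOG (constructed path).
CERTBOT="${CERTBOT:-certbot}"
RC_SERVICE="${RC_SERVICE:-rc-service}"
RENEW_LOG="${RENEW_LOG:-/var/log/certbot-renew.log}"

# Renew with hooks: certbot runs --pre-hook/--post-hook only when a certificate is
# due, so nginx is not stopped on the weeks where nothing needs renewing.
# Returns certbot's exit status.
renew_certificates() {
    "$CERTBOT" renew --quiet \
        --pre-hook "$RC_SERVICE nginx stop" \
        --post-hook "$RC_SERVICE nginx start"
}

# Make sure nginx is running again (certbot may have died after the pre-hook).
# Returns 0 if nginx is running or was started, non-zero otherwise.
ensure_nginx_running() {
    "$RC_SERVICE" nginx status >/dev/null 2>&1 && return 0
    "$RC_SERVICE" nginx start
}

# Whole job: renew, guarantee nginx is up, record the outcome.
# Returns 0 only when both the renewal and nginx succeeded.
renew_job() {
    status=0
    renew_certificates || status=$?
    ensure_nginx_running && nginx_running=yes || nginx_running=no
    printf '%s certbot renew exit=%s nginx_running=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$status" "$nginx_running" >>"$RENEW_LOG"
    [ "$status" -eq 0 ] && [ "$nginx_running" = yes ]
}

# Run the job only when invoked as the cron script, not when sourced for testing.
case "$0" in
    *certbot_renew) renew_job ;;
esac
```

Check the hooks end to end without waiting for a real renewal with `certbot renew --dry-run` plus the same `--pre-hook`/`--post-hook` arguments; the dry run exercises the hooks against the staging environment.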